fluxcoil wiki

Setup of RHDS 11 (red hat directory server) on rhel8, just for testing. See also: product docs

# setup rhel8u1GA

subscription-manager register
subscription-manager repos --disable='*' \
  --enable=dirsrv-11-for-rhel-8-x86_64-rpms

yum module install -y redhat-ds:11

# create an inf template file
dscreate create-template /root/instance_name.inf

# we call our instance fluxcoil.net
sed -ie 's,^;instance_name.*,instance_name = fluxcoil.net,' instance_name.inf
# configuring 'redhat23' as password
sed -ie 's,^;root_password.*,root_password = redhat23,' instance_name.inf
# we want the suffix to be created directly
sed -ie 's,^;create_suffix_entry.*,create_suffix_entry = True,' instance_name.inf
# our tree should be called dc=fluxcoil, dc=net
sed -ie 's,^;suffix.*,suffix = dc=fluxcoil\, dc=net,' instance_name.inf

# create the instance
dscreate from-file /root/instance_name.inf

# if required, open fw ports
# firewall-cmd --permanent --add-port={389/tcp,636/tcp}

# Start instance.  Behind the @, we have the 'instance_name'
systemctl enable --now dirsrv@fluxcoil.net

# for now using openldap client tools, test ldapsearch
ldapsearch -x -b dc=fluxcoil,dc=net '(cn=*)'
ldapsearch -x -b dc=fluxcoil,dc=net -D 'cn=Directory Manager' -W '(cn=*)'

# lets fill in some data
curl -o ldap_initial_datasets_rhds11.ldif \
  https://fluxcoil.net/files/puppet_scripts/ldap_initial_datasets_rhds11.ldif
ldapadd -x -D 'cn=Directory Manager' -W -f ldap_initial_datasets_rhds11.ldif

• setting up TLS/SSL
• setting up TLS/SSL

openssl rand -out /tmp/noise.bin 4096

certutil -S -x -d /etc/dirsrv/slapd-fluxcoil.net/ -z /tmp/noise.bin \
  -n "server-cert" -s "CN=$HOSTNAME" -t "CT,C,C" -m $RANDOM \
  --keyUsage digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
# use the password from /etc/dirsrv/slapd-fluxcoil.net/pin.txt

# verify cert name
certutil -L -d /etc/dirsrv/slapd-fluxcoil.net/ -n "server-cert" | egrep "Issuer|Subject"

dsconf -D "cn=Directory Manager" ldap://rhel8u1a.fluxcoil.net \
  config replace nsslapd-securePort=636 nsslapd-security=on
# as password use redhat23

# verify name and cert
dsconf -D "cn=Directory Manager" ldap://rhel8u1a.fluxcoil.net \
  security  certificate list

# configure rsa 
dsconf -D "cn=Directory Manager" ldap://rhel8u1a.fluxcoil.net \
  security rsa set --tls-allow-rsa-certificates on \
  --nss-token "internal (software)" --nss-cert-name Server-Cert

# restart instance
dsctl fluxcoil.net restart


echo 'TLS_CACERTDIR /etc/openldap/cacerts' >>/etc/openldap/ldap.conf
mkdir /etc/openldap/cacerts
cp /etc/dirsrv/slapd-fluxcoil.net/*.0 /etc/dirsrv/slapd-fluxcoil.net/ca.crt \
  /etc/openldap/cacerts

# with above instructions, our cert subject has just rhel8u1a and
# not the domain..
ldapsearch -x -b dc=fluxcoil,dc=net -H ldap://rhel8u1a  -ZZZ '(cn=*)'

# create the hashes, we will be using the
# cacert /etc/dirsrv/slapd-*/cacert.asc from RHDS
cp /etc/dirsrv/slapd-*/cacert.asc /etc/openldap/certs
cacertdir_rehash /etc/openldap/certs
# rhel8 and later have no cacertdir_rehash

# now configure the openldap client utilities to use the cacert
sed -ie 's,^TLS_CACERTDIR,#TLS_CACERTDIR,' /etc/openldap/ldap.conf
echo 'TLS_CACERT /etc/openldap/certs/cacert.asc' >>/etc/openldap/ldap.conf

# now verify tls works
ldapsearch -x -b dc=fluxcoil,dc=net -h rhel8u1a -ZZZ '(cn=*)'

# now with the secured connection, setting passwords works:
ldappasswd -x -h rhel7u2a.fluxcoil.net -D 'cn=Directory Manager' \
  -W -s redhat -ZZ cn=user0,ou=users,dc=fluxcoil,dc=net
ldappasswd -x -h rhel7u2a.fluxcoil.net -D 'cn=Directory Manager' \
  -W -s redhat -ZZ cn=user1,ou=users,dc=fluxcoil,dc=net

# verify bind with new password works
ldapsearch -x -b dc=fluxcoil,dc=net \
  -D 'cn=user0,ou=users,dc=fluxcoil,dc=net' -w redhat -ZZZ '(cn=*)'